Chapter 4 Virus Scanning Service (Tasks)

About Virus Scanning

Data is protected from viruses by a scanning service, vscan, that uses
various scan engines. A scan engine is a third-party application,
residing on an external host, that examines a file for known viruses. A file
is a candidate for virus scanning if the file system supports the vscan service,
the service has been enabled, and the type of file has not been exempted.
The virus scan is then performed on a file during open and close operations
if the file has not previously been scanned with the current virus definitions
or if the file has been modified since it was last scanned.

The vscan service can be configured to use multiple scan engines. It
is recommended that the vscan service use a minimum of two scan engines. The
requests for virus scans are distributed among all available scan engines. Table 4–1 shows the
scan engines that are supported when configured with their most recent patch.

Table 4–1 Antivirus Scan Engine Software

Antivirus Software                                     ICAP Support
Symantec Antivirus Scan Engine 4.3                     Is supported
Symantec Antivirus Scan Engine 5.1                     Is supported
Computer Associates eTrust AntiVirus 7.1
Computer Associates Integrated Threat Management 8.1   Is not supported [Requires installation of the Sun StorageTek 5000 NAS ICAP Server for Computer Associates Antivirus Scan Engine. Get the package from the Sun Download Center.]
Trend Micro Interscan Web Security Suite (IWSS) 2.5    Is supported
McAfee Secure Internet Gateway 4.5                     Is supported

About the Vscan Service

The benefit of the real-time scan method is that a file is scanned with
the latest virus definitions before it is used. By using
this approach, viruses can be detected before they compromise data.

The following describes the virus scanning process:

When a user opens a file from the client, the vscan service
determines whether the file needs to be scanned, based on whether the file
has previously been scanned with the current virus definitions and whether
the file has been modified since it was last scanned.

If the file needs to be scanned, the file is transferred to
the scan engine. If a connection
to a scan engine fails, the file is sent to another scan engine. If no scan
engine is available, the virus scan fails and access to the file might be
denied.

If the file does not need to be scanned, the client is permitted
to access the file.

The scan engine scans the file using the current virus definitions.

If a virus is detected, the file is marked as quarantined.
A quarantined file cannot be read, executed, or renamed, but it can be deleted.
The system log records the name of the quarantined file and the name of the
virus. If auditing has been enabled, an audit record with the same information
is also created.

If the file is not infected, the file is tagged with a scan
stamp and the client is permitted to access the file.

Using the Vscan Service

Scanning files for viruses is available when the following requirements
are met:

At least one scan engine is installed and configured.

The files reside on a file system that supports virus scanning.

Virus scanning is enabled on the file system.

The vscan service is enabled.

The vscan service is configured to scan files of the specified
file type.

The following table points to the tasks you perform to set up the vscan
service.

To add a scan engine to the vscan service with default properties,
type:

# vscanadm add-engine engine_ID

See the manpage for the vscanadm(1M) command for a description of the
command.

How to View Vscan Properties

View the properties of the vscan service, of all scan engines,
or of a specific scan engine.

To view the properties of a particular scan engine, type:

# vscanadm get-engine engineID

To view the properties of all scan engines, type:

# vscanadm get-engine

To view one of the properties of the vscan service, type:

# vscanadm get -p property

where property is one of the parameters described
in the manpage for the vscanadm(1M) command.

For example, if you want to see the maximum size of a file that can
be scanned, type:

# vscanadm get -p max-size

How to Change Vscan Properties

You can change the properties of a particular scan engine and the general
properties of the vscan service. Many scan engines limit the size of the files
they scan, so the vscan service's max-size property
must be set to a value less than or equal to the scan engine's maximum allowed
size. You then define whether files that are larger than the maximum size,
and therefore not scanned, are accessible.

Use the “VSCAN Management” RBAC profile to obtain
the authorizations needed for managing the vscan service.

Specify that access is denied to any file that is not scanned
due to its size.

# vscanadm set -p max-size-action=deny

See the manpage for the vscanadm(1M) command for a description of the
command.
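
The scan-on-open decision described under About the Vscan Service, combined with the max-size-action setting above, can be modelled as follows. This is an added Python example, not code from the vscan service. The names File, make_engine and open_file are hypothetical, engines are tried in list order, and the model denies access when no engine is reachable (the text says only that access might be denied).

```python
from dataclasses import dataclass

class EngineDown(Exception):
    """Raised when the connection to a scan engine fails."""

@dataclass
class File:
    name: str
    size: int
    data: bytes
    modified: bool = True     # changed since the last scan
    scanstamp: str = ""       # definitions version of the last clean scan
    quarantined: bool = False

def make_engine(up, signatures):
    """Hypothetical stand-in for a scan engine: virus name or None."""
    def scan(data):
        if not up:
            raise EngineDown()
        return next((v for sig, v in signatures.items() if sig in data), None)
    return scan

def open_file(f, engines, defs, max_size, max_size_action="allow"):
    """Return 'allow' or 'deny' for an open request on file f."""
    if f.quarantined:
        return "deny"                    # quarantined files cannot be read
    if not f.modified and f.scanstamp == defs:
        return "allow"                   # current scan stamp: no rescan
    if f.size > max_size:
        return max_size_action           # too large to scan: policy decides
    for scan in engines:
        try:
            virus = scan(f.data)
        except EngineDown:
            continue                     # connection failed: next engine
        if virus:
            f.quarantined = True
            return "deny"
        f.scanstamp, f.modified = defs, False
        return "allow"
    return "deny"                        # assumption: no engine, fail closed

if __name__ == "__main__":
    sigs = {b"FAKE-SIG": "Constructed.Test"}   # constructed sample signature
    engines = [make_engine(False, sigs), make_engine(True, sigs)]
    for f in (File("a.txt", 5, b"hello"), File("b.bin", 12, b"..FAKE-SIG.."),
              File("c.iso", 10**9, b"")):
        print(f.name, open_file(f, engines, "defs-1", 10**6, "deny"))
```

With max-size-action left at allow, the oversized file in the sample would be served without ever reaching a scan engine, which is the gap the deny setting closes.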

How to Exclude Files From Virus Scans

When you enable antivirus protection, you can specify that all files
of specific types are excluded from the virus scan. Because the vscan service
affects the performance of the system, you can conserve system resources by
targeting specific file types for virus scans.

Use the “VSCAN Management” RBAC profile to obtain
the authorizations needed for managing the vscan service.